Leaked report describes Federal Parliament's cyber security as having 'low level of maturity'

21:45, 12 February 2020. Source: abc.net.au


[Image: a large white building. Caption: A leaked report describes cyber security at the Department of Parliamentary Services as "ad hoc". (ABC News)]

Federal Parliament failed to develop effective methods for preventing cyber intrusions and did not regularly update some sensitive information systems, according to a draft internal audit dated three months after a major cyber attack was uncovered.

7.30 can reveal that a scathing internal audit report written by KPMG for the Department of Parliamentary Services concluded the agency had an "ad hoc" approach to all elements of information security management, the lowest rating possible under the scoring metric used.


The findings of the draft report, titled the Protective Security Policy Framework (PSPF) Alignment Review, indicate that at one point the department's contracted review team considered Parliament may have been more vulnerable than was previously known.

The department has overall responsibility for cyber security in Parliament, including the electoral and Commonwealth offices of MPs and Senators. The network it is responsible for includes over 5,000 users, 5,000 PCs and laptops, 1,000 servers and more than 2,000 mobile devices.

The emergence of the draft report is likely to raise further concerns about the severity of a major cyber attack in February 2019 that breached Australia's parliamentary network and also separately targeted the major political parties.


Critically, the draft review found that "Essential Eight strategies and other methods to prevent cyber intrusions are at a low level of maturity".

"Essential Eight strategies" are key pillars of cyber security management established by the Australian Signals Directorate that all government agencies are expected to comply with.

A spokeswoman for the Department of Parliamentary Services told 7.30 that: "The confidential working draft KPMG PSPF Alignment Review to which you refer does not reflect the true state of the department's PSPF maturity."

'Lack of an overarching approach'

The draft report also found significant deficiencies in the management of key systems that hold potentially classified information.

"Some information systems are not regularly patched due to the legacy nature of their systems," it said.

In relation to how the agency handles classified and sensitive information, the draft report said that "critical information assets have not been identified".


Physical security of computer assets also remains a significant issue. The draft report noted that "DPS security branch is unable to identify all critical assets within APH".

It also added that "no security zones within DPS' remit have undergone formal zone certification or accreditation".

Overall it found that "a large contributing factor to the low maturity for the department is the lack of an overarching approach defined for protective security management and security risk management processes".

"Up until now, the Department has had a responsive approach to protective security management, rather than one based on a formal, documented, and integrated risk-based approach."

The findings of a "low level of maturity" suggest the department has not developed a clear framework for managing key information security protocols.

The spokeswoman for the Department of Parliamentary Services told 7.30 in a statement: "Without commenting directly on this confidential draft document, it reflects early fieldwork by KPMG and was not subject to verification by the department and does not incorporate a body of work undertaken to demonstrate the department's PSPF maturity rating of 'managing' for the relevant criteria.


"The final report of the alignment review in July 2019 did not make adverse findings in relation to the department achieving an acceptable maturity rating."

She said that the program the department undertook to assess how it met the PSPF criteria showed that it achieved "a maturity rating of 'managing' against 85 of the 88 relevant PSPF criteria and 'developing' against three criteria. The department did not rate 'ad hoc' against any of these 88 criteria."

A KPMG spokesperson said: "KPMG does not comment on client work but I can confirm we were engaged by the Department of Parliamentary Services in 2019 to provide advice in relation to the Protective Security Policy Framework."

Scale of last year's cyber attack unknown

The specific circumstances surrounding the Parliament House cyber attack last year remain largely concealed from the public and questions have recently been raised over the scale and severity of the attack.

In January, former defence minister Christopher Pyne and Martin Parkinson, the former secretary of the Department of Prime Minister and Cabinet, spoke on Mr Pyne's podcast at length about cyber security in government and in the private sector.

Mr Parkinson observed how he was "amazed actually at how little concern is expressed by the public when these breaches occur".


He referenced a cyber attack on ANU as one example, and the attack on Parliament House as another.

Mr Pyne then responded: "You and I know how much worse it all was, which we can never talk about."

Mr Pyne told 7.30 he was referring to cyber security incidents generally, and not any specific breach.

Following the publication of Mr Pyne's comments last week, the speaker of the House of Representatives, Tony Smith, rebuked the comments and said any suggestion the public had not received the full facts was "false".

He also said: "I would just finally say the podcast also refers to a cyber intrusion at the Australian National University … so perhaps it shouldn't be inferred that the comments necessarily relate to the parliamentary network."

In a Senate estimates hearing in November, the president of the Senate, Scott Ryan, said the breach occurred when "a small number of users visited a legitimate external website that had been compromised".

This led to the injection of malware into the parliamentary computing network.

The Department of Parliamentary Services became aware of the breach on January 31, 2019. The attacker was present in their systems until February 8, 2019.

Senator Ryan had said only a small amount of non-sensitive data was taken, but he added: "While we cannot precisely guarantee that no other data was removed, extensive investigation has provided no evidence of this."

The small amount of data known to be taken from the network was described as "corporate data and data related to a small number of parliamentarians".

At least two parliamentarians have been informed that some of their data was taken.

The Department of Parliamentary Services' latest annual report says that "significant advancements have been made this year to strengthen our physical and cyber security capability".
